Re: Anti porn child spam protection 2.0 - ransomware - ACCDFISA

soporte-arsenet wrote:

Dr. Web says:

"We cannot decrypt enciphered files due to modification of the algorithm in the trojan"

I thought this might happen. The person who wrote this malware - or rather, the person who is now running the extortion operation - has been monitoring the main discussions on forums like BleepingComputer and nFocus Technologies. He was actually posting on one of the BleepingComputer threads, taunting the users seeking help, until they banned him. He's still reading the posts, though, and as soon as a possible way to unlock the files is discussed and attempted he modifies the code to remove any weaknesses.

In this case either Dr Web are saying that version 2 of this program is, as the author claims, unbreakable, or the author has made a further change to the encryption algorithm - probably for the second password although, as he says, knowing the second password is not by itself enough.

I don't know if the underlying process is exactly the same as in version 1 - the implication is that the changes have been to the method used to generate the passwords - but this is the summary provided by Wang Xiu Ying in Post #70 of the main BleepingComputer thread - just over one year ago. It is instructive to read the whole thread, if you have time.

Password generation changed again as well. Similar to variant 3, two different passwords are used to encrypt the files on the system. To generate the first password the crypto malware will generate a 50-character-long random string. The string is then saved to fvd31234.txt as well as udsjaqsksw.dlls. The random string is then prefixed with a static string to create the first password. As usual the fvd31234.txt file is copied by the attacker to his system and then securely deleted using the fvd31234.bat script. On the next boot the service will securely delete “udsjaqsksw.dlls” as well if still present and fall back to a second password generation algorithm. The second algorithm will calculate the second password based on the boot drive’s volume id, similar to variant 2. While it is possible to generate the second password with ease, it is almost impossible to recover the first password due to the random nature and secure deletion.

So I think there is no way to unlock the files.

And here is one of the best descriptions I have seen of the development of this ransomware. It has not yet been updated to take account of the "Version 2.0" variant.

Re: Anti porn child spam protection 2.0 - ransomware - ACCDFISA

The reason for this email is to indicate that we have received a reply from our laboratories regarding child Porn Anti-Spam Protection.

After analyzing all samples submitted for all affected users and the records provided after running the decryption program, our laboratories have confirmed the inability to decrypt the affected files due to the improved encryption algorithm used, so NO, you cannot find the key to decrypt the files affected by the attack.

Only in a few cases has it been possible to recover emails and other documents, but never databases or backups affected by this infection.

We deeply regret not being able to find a solution to this cipher, and so being unable to help restore the affected files. Both ESET's labs and the technical department of ESET Spain continue researching and working so that network administrators and customers are aware of the risks to which their equipment, both servers and client computers, is exposed, and try to increase the security of their systems by applying security policies as needed.

The encryption used in these cases was 128-bit AES. Regarding this type of encryption, it can be stated that breaking the key by brute force is absolutely unfeasible.

Moreover, it is important to note that this ransomware is fully detected and removed by ESET security products since 2012.

In these cases, infection of the system was possible because the antivirus product, whatever it was, had been removed or deactivated prior to infection by exploiting the following vulnerabilities, and also through the use of weak passwords by users with access to the servers. Therefore, continuous maintenance and hardening of the servers is critical to avoid these undesirable situations, following the advice shown at the end of this text and bearing in mind that the security product should not be the only method of protection for these systems.

To prevent future attacks of this type, the technical department of ESETNOD32 in Spain suggests the following actions:

Change the default port used by Terminal Server (3389) to one that is not in use.

Apply the available Microsoft patches for Windows Server 2003 and above, especially those involving Remote Desktop.

Inspect the system access accounts and delete or disable those that are not necessary, especially those with Remote Desktop access.

Change passwords. It is essential to use strong passwords (we recommend using numbers, uppercase letters, symbols, and a length of at least 12 characters) to make it as difficult as possible for a brute-force attack to break your security.

Keep at least two backups at a time, with at least one of them stored in a different location from the other.

Restore the backups onto the system or a replica system from time to time, to check that these copies have been made correctly in case they are needed later.
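The six recommendations above can be checked on a host in one pass. The script below is an added example written for this thread, not code from ESET or from anyone in the discussion. It assumes an elevated Windows PowerShell 5.1 (or later) session with the Microsoft.PowerShell.LocalAccounts module, reads the Terminal Server registry keys that hold the RDP port and NLA settings, and reports accounts that can log on over RDP or whose passwords are stale; the 90-day staleness threshold is an assumption, not something the thread specifies.

```powershell
# Added example: audit a Windows host against the RDP-hardening advice in the thread.
# Run elevated. Registry paths are the standard Terminal Server keys; the 90-day
# password-age threshold is an assumed policy value, adjust to your own.

$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$tsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$staleDays = 90

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null instead of throwing when the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name } else { return $null }
}

$findings = New-Object System.Collections.Generic.List[string]

# 1. Port: 3389 is what mass scanners try first.
$port = Get-RegValue -Path $rdpTcp -Name 'PortNumber'
if ($port -eq 3389) { $findings.Add('RDP listens on the default port 3389') }

# Is RDP enabled at all? fDenyTSConnections = 1 means connections are refused.
$deny = Get-RegValue -Path $tsRoot -Name 'fDenyTSConnections'
if ($deny -eq 0) { $findings.Add("Remote Desktop is enabled on port $port") }

# Network Level Authentication makes the client authenticate before a session exists.
$nla = Get-RegValue -Path $rdpTcp -Name 'UserAuthenticationRequired'
if ($nla -ne 1) { $findings.Add('NLA (UserAuthenticationRequired) is not enforced') }

# 2. Patching: show the most recently installed update so the gap is visible.
$latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($latest) {
    $age = ((Get-Date) - $latest.InstalledOn).Days
    if ($age -gt 30) { $findings.Add("Last update $($latest.HotFixID) was installed $age days ago") }
} else {
    $findings.Add('No installed updates reported by Get-HotFix')
}

# 3. Accounts: who is enabled, and who can reach the box over RDP.
$enabledUsers = Get-LocalUser | Where-Object Enabled
$rdpMembers   = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue
$adminMembers = Get-LocalGroupMember -Group 'Administrators'
foreach ($m in @($rdpMembers) + @($adminMembers)) {
    if ($m) { $findings.Add("RDP-capable principal: $($m.Name) ($($m.ObjectClass))") }
}

# 4. Passwords: flag accounts that never rotate or have not rotated recently.
foreach ($u in $enabledUsers) {
    if ($u.PasswordNeverExpires) {
        $findings.Add("Account '$($u.Name)' has PasswordNeverExpires set")
    }
    if ($u.PasswordLastSet -and $u.PasswordLastSet -lt (Get-Date).AddDays(-$staleDays)) {
        $findings.Add("Account '$($u.Name)' password last set $($u.PasswordLastSet.ToShortDateString())")
    }
}

# 5/6. Backups cannot be verified from the registry; remind the operator instead.
$findings.Add('Manual check: two backups exist, one off-site, and a restore has been tested')

$findings | ForEach-Object { Write-Output "[*] $_" }
```

The script only reads configuration; changing the port or NLA setting is a deliberate operator action, and the registry values it inspects (PortNumber, fDenyTSConnections, UserAuthenticationRequired) are the same ones Group Policy writes, so the output can be compared directly against whatever policy the server is supposed to have.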

Re: Anti porn child spam protection 2.0 - ransomware - ACCDFISA

using rar AES archives with very strong password and this is unreal to crack. If you don't believe read forums about rar - there are only one way to crack it - use bruteforce, but this is only in theory, because to brute passwords like used by us it's need trillions years even if you will use all computers in the World.

The encryption used in these cases was 128-bit AES. Regarding this type of encryption, it can be stated that breaking the key by brute force is absolutely unfeasible.

Low-cost GPUs (graphics processing units) that are being configured into massively parallel systems are far better at code-breaking than traditional CPUs. When the encryption algorithms were originally created, people reported it would take tens or hundreds of years in brute-force computing power to break them. But they never envisioned the relatively cheap, massively parallel systems available today using hundreds or thousands of NVidia or AMD GPU cores. These parallel processing machines are really effective at finding patterns and hence decrypting data streams.

The biggest problem here is that the encryption is unique for each affected system. I see decryption codes published in various technical forums followed by disappointed posts saying someone else has tried to use them and they didn't work. Most of the infected servers, for some reason, seem to be in Spanish-speaking countries. At least, most of the forums where this is being discussed are in Spanish. One example is http://www.forospyware.com/t463442.html.

Since none of the anti-virus companies, nor indeed any of the security researchers, has yet claimed to be able to break the encryption algorithm used by this attacker, perhaps it's time to 'think out of the box'.

The only organisation I know of in the Western hemisphere (1) which has the people, the skills, and the resources to undertake the decryption of your data is the US National Security Agency, the NSA. Why not contact them and ask if they would be willing to do this as a Public Relations exercise? They might charge you for doing it, but if they could use this for publicity purposes they would gain a lot of brownie points - and if that doesn't translate too well into Spanish let's say that they might consider it useful as a way of repairing their public image after certain recent disclosures. Of course they might only consider doing this for US companies .... or, considering their remit, for non-US companies.

It's only an idea, but it might just produce a good result. I might even ask them myself.

(1) Okay, not quite the only one. GCHQ could do it, but wouldn't. The French might, but definitely would not. And the Russians almost certainly could. None of them though needs to repair their public image at the moment, whereas perhaps the NSA does.
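The two-password scheme quoted from Wang Xiu Ying in the first post (second password derived from the boot drive's volume ID, first password a 50-character random string behind a static prefix) and the GPU argument above can be put side by side with numbers. The function below is an added example, not code from the thread or from any of the analyses it cites. It assumes a 32-bit volume serial, a 62-character alphanumeric alphabet for the random string (the real alphabet is not stated in the thread), a 128-bit AES key as ESET describes, and a guessing rate of 10^12 per second as a generous stand-in for a GPU cluster; the static prefix adds no entropy, so it is ignored.

```powershell
# Added example: how long exhaustive search takes for each secret in the thread,
# using BigInteger so 62^50 and 2^128 do not overflow. All rates and alphabets
# are assumptions stated in the lead-in.

function Get-BruteForceEstimate {
    param(
        [Parameter(Mandatory)][string]$Label,
        [Parameter(Mandatory)][bigint]$KeySpace,
        [double]$GuessesPerSecond = 1e12
    )
    # Entropy in bits, and the expected time to exhaust the space, kept in log10
    # form because 62^50 / 1e12 seconds is far outside what a double can hold.
    $bits         = [bigint]::Log($KeySpace, 2)
    $log10Seconds = [bigint]::Log10($KeySpace) - [math]::Log10($GuessesPerSecond)
    $log10Years   = $log10Seconds - [math]::Log10(365.25 * 86400)
    [pscustomobject]@{
        Secret      = $Label
        Bits        = [math]::Round($bits, 1)
        YearsToExhaust = if ($log10Years -lt 0) { 'under a year' } else { "10^$([math]::Round($log10Years, 1))" }
    }
}

# Second password: derived from a 32-bit volume serial (assumed width).
$volumeId = [bigint]::Pow([bigint]2, 32)
# First password: 50 random characters from an assumed 62-symbol alphabet.
$random50 = [bigint]::Pow([bigint]62, 50)
# The AES-128 key ESET refers to, if one attacked the key rather than the password.
$aes128   = [bigint]::Pow([bigint]2, 128)

@(
    Get-BruteForceEstimate -Label 'volume-ID-derived password' -KeySpace $volumeId
    Get-BruteForceEstimate -Label '50-char random password'    -KeySpace $random50
    Get-BruteForceEstimate -Label 'AES-128 key'                -KeySpace $aes128
) | Format-Table -AutoSize
```

The first row is why the thread says the second password is recoverable: 2^32 guesses at 10^12 per second is a fraction of a second, so any scheme whose secret is a function of the volume serial protects nothing. The second row (about 298 bits) and the third (128 bits) are why the GPU argument does not apply here: parallelism buys a constant factor, and no constant factor closes a gap of 10^19 years, let alone 10^70. The attacker's weakness, if there is one, will be in key handling or implementation, not in the size of the search space.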